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Abstract. We consider the problem of constructing optimal authentication 
codes with splitting. New infinite families of such codes are obtained. In 
particular, we establish the first known infinite family of optimal authentication 
codes with splitting that are secure against spoofing attacks of order two. 

1. Introduction. In the standard model of authentication theory [13, 14, 15, 18], a 
transmitter wants to send some information to a receiver across an insecure channel 
while an opponent with access to the channel wants to deceive the receiver. The 
opponent can either insert new messages into the channel, or intercept messages 
from the transmitter and modify them into his own. In each case, the opponent's 
goal is to deceive the receiver into believing that the new messages are authentic 
(coming from the transmitter). The first attack based on insertion of new messages 
is known as impersonation and the second attack based on modification of messages 
from the transmitter is known as substitution. 

More formally, let S denote the set of all source states, M be the set of all 
messages, and £ be the set of all encoding rules. All these are finite sets. A source 
state is the information the transmitter wishes to communicate to the receiver. An 
encoding rule is an injection from S to 2 M . The transmitter and receiver agree 
beforehand on a secret encoding rule e e £. To communicate a source state s 6 §, 
the transmitter determines M = e(s) (note that M C M) and chooses a message 
m £ M to send to the receiver. The receiver accepts the received message as 
authentic if there exists an M in the image of e containing the received message. 
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For the receiver to recover the source state, each encoding rule must satisfy the 
condition 

e(s) n e(s') = 0, for distinct s, s' E S. 

The triple (§,M, £) is called an authentication code, or A-code in short. 

An A-code (S,M, £) can be represented by an |£| x |S| matrix, whose rows are 
indexed by authentication rules, and columns indexed by source states, such that 
the entry in row e £ £ and column s £ § is e(s). 

For k an integer and X a finite set, we denote by ( fc ) the set of all fc-subsets of 
X. Research on authentication codes have focused on the case when every encoding 
rule is an injection from § to ( ) , for some positive c. Such an A-code is called a 
c-splitting A-code. A 1-splitting A-code is also known as an A-code without splitting, 
and a c-splitting A-code with c > 2 is known as an A-code with splitting. A-codcs 
with splitting arc useful for the analysis of authentication with arbitration [9], an 
extended model of authentication introduced by Simmons [16, 17] for the scenario 
when the transmitter and receiver may both be deceptive. 

In a spoofing attack of order i [10], the opponent observes i distinct messages sent 
by the transmitter through the insecure channel under the same encoding rule. The 
opponent then inserts a new message (distinct from the i messages already sent), 
hoping to have it accepted by the receiver as authentic. Within this framework, 
impersonation and substitution attacks are just spoofing attacks of order zero and 
one, respectively. While these attacks have been rather well studied for A-codes, 
less is known for the case of spoofing attacks of order i > 2, especially on c-splitting 
A-codes when c > 2. 

The probability distribution on the set of source states § induces a probability 
distribution on (^), i > 0. Given these probability distributions, the transmitter 
and receiver choose a probability distribution on £, called an encoding strategy. For 
any s £ § and e G £, the transmitter also chooses a probability distribution on 
e(s), called a splitting strategy. The opponent is assumed to know the encoding 
and splitting strategies. The transmitter and receiver chooses the encoding and 
splitting strategics to minimize the probability of being deceived by the opponent. 
We denote by P^ the probability that the opponent can deceive the receiver with 
a spoofing attack of order i. The following lower bound on P^ is known. 

Proposition 1.1 (Hubcr [7]). In a c-splitting A-code (§,M, £), 
for every i > 0. 

A c-splitting A-code is said to be (t — \)-fold secure against spoofing if Pd i = 
c(|§| — z)/(|M| — i), for all i, < % < t. For succinctness, we call such a code a 
(i, c)-splitting A-code. 

Huber [7] also showed that the number of encoding rules must be large enough 
if an A-code is to be (t — l)-fold secure against spoofing. 

Proposition 1.2 (Huber [7]). In a (t,c)- splitting A-code (S,M, £), 

1 ( |M| ) 
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For efficiency, we want the number of encoding rules in an A-code to be as small as 
possible. We call a (t, c)-splitting A-codc optimal if the lower bound in Proposition 
1.2 is met with equality. 

The main contribution of this paper is on the construction of optimal (t, c)- 
splitting A-codes with three source states, for c > 2 and t £ {2,3}. In particular, 
we show that the following two new families of A-codes exist: 

(i) (2, 5)-splitting A-codes with three source states and v messages, for all v 

1 mod 150, v 301. 

(ii) (3, 2)-splitting A-codes with three source states and v messages, for all v = 

2 mod 8. 

The (3, 2)-splitting A-codes we obtained is the first known infinite family of (t, c)- 
splitting A-codes with t > 2 and c > 1. We also prove that a (2, c)-splitting A-code 
with k source states and v messages exists for all sufficiently large v (with k and c 
fixed) . 

2. Preliminaries. This section serves to provide notions and results that are re- 
quired for our construction in subsequent sections. 
The ring Z/nZ is denoted Z„. 

2.1. Design-Theoretic Background. Huber [7] defined splitting t-designs, gen- 
eralizing the splitting 2-designs of Ogata et al. [12]. 

Definition 2.1. Let t, v, k, c, and A be positive integers, with t < k and ck < v. A 

splitting t-design, or more precisely, a splitting t-(v, k x c, A) design, is a pair (X, A) 
such that 

(i) X is a set of v elements, called points; 

(ii) A is a set of k x c arrays, called blocks, with entries from X, such that each 
point of X occurs at most once in each block; 

(iii) for every {xi : 1 < i < t} G (^f), there are exactly A blocks in which Xi, 
1 < i < t, occur in t different rows. 

Note that a splitting t-(v, k X 1, A) design coincides with the classical notion of a 
t-(v,k,X) design. Huber [7] proved the equivalence between splitting i-designs and 
optimal splitting A-codes. 

Theorem 2.2 (Huber [7]). There exists a splitting t-{v, k x c, 1) design if and only if 
there exists an optimal (t, c) -splitting A-code for k equiprobable source states, having 
V messages and (+)/c*u) encoding rules. 

The necessary divisibility conditions for the existence of splitting i-designs are as 
follows. 

Proposition 2.1 (Huber [7]). The necessary conditions for the existence of a split- 
ting t-{v, k x c, A) design are 

X (^ S ^j = mod ct ~ S Q ~ J > f or alls,0<s< t. 

Sometimes, the points of a splitting t-design (X, A) can be identified with the 
elements of an additive group T, so that X = T. If the set of blocks A can be 
generated by a set 23 C A, that is, 

A = U Be3 {B + g:geT}, 

then 23 is called a set of base blocks of (X,A). 
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Example 2.1. Let A = Z151. The set containing the single array 

/ 1 2 3 4 \ 
A=\ 5 13 59 105 118 
\ 28 67 73 112 134 / 

as a base block, generates the set of blocks A for a splitting 2-(151, 3 x 5, 1) design 
(X,A). 

Our constructions for splitting ^-designs also rely on group divisible designs 
(GDD). Let t. k, and v be nonnegative integers. A group divisible t-design of 
order v and block size k, denoted GDD(i, k, v), is a triple (X, 5, A) satisfying the 
following properties: 

(i) X is a set of v elements, called points; 

(ii) 9 = {G\ 1 . . . , G s } is a partition of X into subsets, called groups; 

(iii) A C ( fc ), whose elements are called blocks, such that each A S A intersects 
any group G G S in at most one point; 

(iv) every T G (^) containing at most one point from each group is contained in 
exactly one block. 

The type of a GDD(t,k,v) {X,$,A) is the multiset [|G| : G G 3]. We use the 
exponential notation to describe the type of a GDD: a GDD of type g™ 1 • • • g™ s is a 
GDD where there are exactly rii groups of size gi, 1 < i < s. 
We require the following result. 

Theorem 2.3 (Hanani [4], Brouwer e* aZ. [1], Mills [11], Ji [8]). 

(i) There exists a GDD(2,3,gn) of type g n if and only if n > 3, (n — l)g = 

mod 2. and n(n — l)g 2 = mod 6. 
(ii) There exists a GDD(2,4, gn) of type g n if and only if n > 4, (n — l).g 

i i mod 3, and n(n — l)g 2 = mod 12, with the exception of {g,n) £ {(2,4), 

(6,4)}. 

(iii) Forn > 3, n ^ 5, a GDD(3,4, gn) of type g n exists if and only if gn = mod 2 
and (n — l)(n — 2)g = mod 3. A GDD(3,4, 5g) of type g 5 exists when 
g = mod 2, g ^ 2, and .g ^ 10, 26 mod 48. 

Analogous to splitting t-designs, a "splitting" version of a GDD can be defined. 
This has been done by Wang [19] for t = 2. Here, we extend it to general t. 
A splitting group divisible t-design, denoted splitting GDD(£, k x c, v), is a triple 
(X, 9, A) satisfying the following properties: 

(i) X is a set of v elements, called points; 

(ii) G = {Gi, . . . , G s } is a partition of A" into subsets, called groups; 

(iii) A is a set of k x c arrays, called blocks, with entries from A, such that each 
point of A occurs at most once in each block; 

(iv) for every {xi : 1 < i < t} G (^f) containing at most one point from each group, 
there is exactly one block in which Xi, 1 < i < t, occur in t different rows. 

The type of a splitting GDD is defined in a fashion similar to that for a GDD. 

Splitting GDDs play an important role in the recursive constructions of splitting 
designs. The following is a straightforward extension of Wilson's Fundamental 
Construction for GDDs [21, 22] to splitting GDDs. 

Theorem 2.4 (Fundamental Construction). Let (A, *S,A) be a GDD(£, k, v). Sup- 
pose that for each block A G A, there exists a splitting GDD(£, k 1 x c, kc) of type c k , 
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{Xa,9a,"Ba), where 

X A = A x {l,...,c}, 
Sa = {Wx{1,...,c}:i£4 

t/ien i/iere exists a splitting GDD(i, fc' x c,vc) of type [c\G\ : G £ S] (X',S',.A'), 
w/iere 

X' = Xx{l,...,c}, 
S' = {Gx{l,...,c}:Ge3}, 
•A' = UAe^i23A- 

Since the trivial splitting GDD(t, kxc, kc) of type c fc (containing only one block) 
always exists for any t, fc, and c, we have the following. 

Corollary 2.1. If there exists a GDD(t, k, v) of type g™ 1 . . . g™ s , then there exists 
a splitting GDD(i, k x c, vc) of type {cg\) ni . . . (cg s ) ns . 

As shown by Gc et al. [3] , we can also fill in the groups of a splitting GDD with 
a splitting 2-design to obtain new splitting 2-dcsigns. 

Proposition 2.2 (Filling-In Groups). Let (X, 3, A) be a splitting GDD(2, k x c,v). 
If for each G £ S, there exists a splitting 2-(|G| + 1, k x c, 1) design, then there exists 
a splitting 2-(v + 1, k X c, 1) design. 

2.2. State of Affairs. The following theorem summarizes the state of knowledge 
on the existence of splitting t-dcsigns with A = 1 . 

Theorem 2.5 (Du [2], Ge et al. [3], Wang [19], Wang and Su [20]). The necessary 
divisibility conditions ( of Proposition 2.1) are also sufficient for the existence of a 
splitting 2-(v, k X c, 1) design when 

(i) (k, c) = (2, 2n), for any positive integer n; 

(ii) (k, c) = (2, 3), except for v = 10; 

(Hi) (fc, c) = (3, 2), except for v = 9; 

(iv) (fc, c) ~ (3,3), with the possible exception of v = 55; 

(v) (fc, c) = (4,2), with the possible exception of v e {49,385}. 

In addition, there exists a 2-(v, 3 x 4, 1) design for all v = 1 mod 96. 

3. Nonexistence and Asymptotic Existence. Let A be a positive integer. The 
complete (looplcss) multigraph on v vertices, denoted XK V , is the graph where every 
pair of distinct vertices is connected by A edges. Let G be a simple graph without 
isolated vertices. A G-design of order v and index A is a partition of edge set of XK V 
into subgraphs, each of which is isomorphic to G. If e(G) denotes the number of 
edges in G, and d(G) denotes the greatest common divisor of the degrees of vertices 
in G, then simple counting shows that the conditions 

(i) \v(v - 1) = mod 2e(G), and 

(ii) \{v - 1) = mod d(G) 

are necessary for the existence of a G-design of order v and index A. A celebrated 
result of Wilson [23] states that these necessary conditions are also asymptotically 
sufficient. 
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Theorem 3.1 (Wilson [23]). Let G be a simple graph without isolated vertices. 
Then there exists a constant vq depending only on G and X such that a G-design 
of order v and index X exist for all v > Vq satisfying Xv(v — 1) = mod 2e(G) and 
A(u-l) = 0mod d{G). 

Let Kkxc denote the complete /c-partitc graph, with each part having c vertices. 
A splitting 2-(v,k x c, A) design (X,A) is equivalent to a iffcxe-design of order v 
and index A through the following correspondence: 

(i) a point in X corresponds to a vertex in XK V , 

(ii) a block A € A corresponds to the complete fc-partite graph, where the i-th 
part contains c vertices corresponding to the c entries in row i of A, 1 < i < k. 

Applying Theorem 3.1 with G = K^xc then gives the following result on the 
asymptotic existence of splitting 2-designs. 

Corollary 3.1. There exists a constant vq depending only on k, c, and X, such 
that a splitting 2-(v, k x c, A) design exists for all v > vq satisfying Xv(v — 1) = 
mod c 2 k(k — 1) and X(v — 1) = mod c(k — 1). 

We end this section with a nonexistence result. Huang [6] has shown that the 
number of complete fc-partite graphs required to partition the edge set of K v is at 
least \(v — l)/(k— lj] . This has the following consequence. 

Proposition 3.1. There does not exist a splitting 2-((fc — l)c 2 + 1, k X c, 1) design, 
for all k,c > 2. 

Proof. Suppose a splitting 2-((fc — l)c 2 + 1, k X c, 1) design exists. The number of 
blocks in this splitting 2-dcsign is ((fc — l)c 2 + l)/k. This would mean that we 
can partition the edge set of K/^-i^+i m to ((k — l)c 2 + l)/k complete fc-partite 
subgraphs. This is impossible by Huang's result, since \(k — l)c 2 /(k — 1)] = c 2 > 
((fc-l)c 2 + l)/fc. □ 

The definite exceptions in Theorem 2.5 are special cases of Proposition 3.1. 

4. Splitting 2-Designs. In this section, we establish the existence of an infinite 
family of splitting 2-(v, 3x5,1) designs, and remove v = 385 as a possible exception 
from Theorem 2.5(v). 

Proposition 4.1. There exists a splitting 2-(w,3 x 5,1) design for all v = 1 mod 
150, except possibly when v = 301. 

Proof. A splitting 2-(151, 3x5,1) design is exhibited in Example 2.1, so let v > 451. 
Write v = 150m + l, for some integer m > 3. A GDD(2, {3}, 30m) of type 30™ exists 
by Theorem 2.3(i). Apply Corollary 2.1 to obtain a splitting GDD(2,3 x 5,150m) 
of type 150™. Now fill in the groups of this splitting GDD with a splitting 2- 
(151,3 x 5,1) design (which has been constructed in Example 2.1) to obtain a 
splitting 2-(150fc +1,3x5,1) design. □ 

Proposition 4.2. There exists a splitting 2-(385, 4 x 2,1) design. 

Proof. A GDD(2, {4}, 192) of type 48 4 exists by Theorem 2.3(h). Apply Corollary 
2.1 to obtain a splitting GDD(2,4 x 2,384) of type 96 4 . Now fill in the groups of 
this splitting GDD with a splitting 2-(97, 4x2,1) design (which exists by Theorem 
2.5) to obtain a splitting 2-(385,4 x 2, 1) design. □ 
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5. Splitting 3-Designs. In this section, we establish the existence of the first 
known infinite family of splitting 3-designs with c > 1. 

Let t, k, and v be nonnegative integers. A (t, fc) candelabra system of order v is 
a quadruple (A, S,Q,A) that satisfies the following properties: 

(i) A is a set of v elements, called points; 

(ii) SCI, called the stem; 

(iii) 9 = {Gi, . . . , G m } is a partition of X \ S (elements of 9 are called groups); 

(iv) A C , whose elements are called blocks; 

(v) every T G (*) with \T fl (S U Gj)| < i for all i, is contained in a block in A 
The type of a (i, fc) candelabra system (X, S,5,A) is the multiset [\G\ : G G 9]- A 
(t, fc) candelabra system of type g™ 1 ■ ■ • with a stem of size s is denoted (t, fc)- 

Here, we introduce the notion of splitting candelabra systems. 
A splitting (t, k x c) candelabra system of order v is a quadruple (A, S, 5, A) that 
satisfies the following properties: 

(i) A is a set of v elements, called points; 

(ii) SCI, called the stem; 

(iii) 9 = {Gi, . . . , G m } is a partition of X \ S (elements of 9 are called groups); 

(iv) A is a set of k x c arrays, called blocks, with entries from A, such that each 
point of A occurs at most once in each block; 

(v) for every {xi : 1 < i < t} G (f ) with \T n (5 U G;)| < t for all i, there is 
exactly one block in which Xi, 1 < i < t, occur in t different rows. 

We use the same notation for splitting (f , fc) candelabra systems as those for (t, fc) 
candelabra systems. 

The following theorem is an extension of Hartman's Fundamental Construction 
[5] from (3, fc) candelabra systems to splitting (3, fc) candelabra systems. 

Theorem 5.1. If there exist a (3, fc)-CS(g" 1 • • • g" r : s), a splitting (3, fc' x c)- 
CS(m fc_1 : a), and a splitting GDD(3,fc' x c, mfc) of type m k , then there exists a 
splitting (3, fc' x c)-CS((gim) ni ■ ■ ■ (g r m) n - : m(s - 1) + a). 

Proof. Let (A, S, S,A) be a (3, fc)-CS((;" 1 ■ • • g" r : s), and let oo be a distinguished 
point in S. For Y C A, define the set of points 

P(Y) = ((Y \ {co}) x Z m ) U ({oo} x Z„). 

Further define 

S' = ((S\{oo})xZ m )U({oo}xZ a ) ) 

9' = {G x Z m : G G 9}. 

For each A G A containing the point oo, let 

(P(A), {co} x Z„, {{x} xZ m :xeA\ {oo}}, S A ) 

be a splitting (3, fc' x c)-CS(m fe ^ 1 : a), and for each A G .A not containing the point 
oo, let 

(A x Z m , {{.t} x Z ro : a; G A}, G A ) 
be a splitting GDD(3, fc' x c, 3m) of type m k . 
It is easy to check that (P(A), S', 9', A), where 

■A'=f U U e x ), 
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is the required splitting (3, k' x c)-CS((gim) ni ■ ■ ■ (g r m) nr : m(s — 1) + a). □ 

We can also fill in the groups of a splitting candelabra system by splitting 3- 
designs to obtain larger splitting 3-designs. 

Proposition 5.1. If there exists a splitting (3,fc x c)-CS(<7 1 !1 • ■ • g" r ■ s), where 
s < 2, and there exists a splitting 3-(<7i + s, k X c, 1) design for each i, 1 < i < r, 
then there exists a splitting 3-(s + X)I=i 9i n ii k X c,l) design. 

Proof. Let (X, S,3,A) be a splitting (3, k x c)-CS( ff " 1 • • • : s), where s < 2. 
For each G G 3, let (G U S, 23 G ) be a splitting 3-(|G| + s, k x c, f ) design. Then 
(X,.A U (Ucegf g)) is the required splitting 3-(s + X^=i k x c,l) design. □ 

To apply Theorem 5.1 and Proposition 5.1, we require some splitting candelabra 
systems to start with. 

Lemma 5.2. There exist a splitting (3,3 x 2)-CS(8 2 : 0) and a splitting (3,3 x 2)- 
CS(8 2 : 2). 

Proof. Let X = Z 16 and S = {{2i + j : < i < 7} : j e {0, 1}}. Let 

23 = 










1)1 


Vl4 






Then (X, 3,0,^1), where A = Usesi-B + 2i mod 16 : < i < 8}, is a splitting 
(3,3 x 2)-CS(8 2 : 0). 

Now let S = {x, y} be such that S P\ X = 0, and let 

2* + 2 ] {0,2,4,6} 
2.? + 3 / 

Then (!U{i,i/},S,g,iue) is a splitting (3, 3 x 2)-CS(8 2 : 2). □ 

We now establish an infinite family of splitting 3-designs. 

Theorem 5.3. A splitting 3-(w, 3x2,1) design exists if and only if v = 2 mod 8. 

Proof. Necessity of the condition v = 2 mod 8 follows from Proposition 2.1. 

Huber [7] has shown the existence of a splitting 3-(10,3 x 2,1) design, so we 
consider v > 10. Write v = 8m + 2, for some m > 2. Let X be a set of m + 1 points, 
containing oo as a distinguished point. It is easy to verify that (X, {oo}, {{x} : 
x e X \ {oo}}, (*)) is a (3,3)-CS(l m : 1). Apply Theorem 5.1 with a splitting 
(3, 3 x 2)-CS(8 2 : 2) (which exists by Lemma 5.2) and a splitting GDD(3, 3x2, 24) 
of type 8 3 (whose existence is implied by the trivial GDD(3, 3, 12) of type 4 3 and 
Corollary 2.1) to obtain a splitting (3,3 x 2)-CS(8 m : 2). Now apply Proposition 
5.1 to this splitting (3,3 x 2)-CS(8 m : 2) with a splitting 3-(10,3 x 2, 1) design to 
obtain a splitting 3- (8m + 2,3 x 2,1) design. □ 

6. Conclusion. Determining the existence of optimal c-splitting authentication 
codes with k source states that are (t — l)-fold secure against spoohng is a difficult 
problem, when fc, c and t are large. New constructions, both direct and recursive, 
need to be developed in order to make further progress on the problem. 
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